gitlabFork/ISPConfig3.git - Solinfo Gitblit

			@@ -27,14 +27,98 @@
			EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
			*/

			require_once('../../lib/config.inc.php');
			require_once('../../lib/app.inc.php');
			require_once '../../lib/config.inc.php';
			require_once '../../lib/app.inc.php';

			function normalize_string($string, $quote, $allow_special = false) {
			$escaped = false;
			$in_string = true;
			$new_string = '';

			for($c = 0; $c < mb_strlen($string); $c++) {
			$char = mb_substr($string, $c, 1);

			if($in_string === true && $escaped === false && $char === $quote) {
			// this marks a string end (e.g. for concatenation)
			$in_string = false;
			continue;
			} elseif($in_string === false) {
			if($escaped === false && $char === $quote) {
			$in_string = true;
			continue;
			} else {
			continue; // we strip everything from outside the string!
			}
			}

			if($char === '"' && $escaped === true && $quote === '"') {
			// unescape this
			$new_string .= $char;
			$escaped = false;
			continue;
			} elseif($char === "'" && $escaped === false && $quote === '"') {
			// escape this
			$new_string .= '\\' . $char;
			continue;
			}

			if($escaped === true) {
			// the next character is the escaped one.
			if($allow_special === true && ($char === 'n' \|\| $char === 'r' \|\| $char === 't')) {
			$new_string .= '\' . "\\' . $char . '" . \'';
			} else {
			$new_string .= '\\' . $char;
			}
			$escaped = false;
			} else {
			if($char === '\\') {
			$escaped = true;
			} else {
			$new_string .= $char;
			}
			}
			}
			return $new_string;
			}

			function validate_line($line) {
			$line = trim($line);
			if($line === '' \|\| $line === '<?php' \|\| $line === '?>') return $line; // don't treat empty lines as malicious

			$ok = preg_match('/^\s\$wb\[(["\'])(.?)\\1\]\s=\s(["\'])(.?)\\3\s;\s*$/', $line, $matches);
			if(!$ok) return false; // this line has invalid form and could lead to malfunction

			$keyquote = $matches[1]; // ' or "
			$key = $matches[2];
			if(strpos($key, '"') !== false \|\| strpos($key, "'") !== false) return false;

			$textquote = $matches[3]; // ' or "
			$text = $matches[4];

			$new_line = '$wb[\'';

			// validate the language key
			$key = normalize_string($key, $keyquote);

			$new_line .= $key . '\'] = \'';

			// validate this text to avoid code injection
			$text = normalize_string($text, $textquote, true);

			$new_line .= $text . '\';';

			return $new_line;
			}

			//* Check permissions for module
			$app->auth->check_module_permissions('admin');
			$app->auth->check_security_permissions('admin_allow_langedit');

			//* This is only allowed for administrators
			if(!$app->auth->is_admin()) die('only allowed for administrators.');
			if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');

			if(!$conf['language_file_import_enabled']) $app->error('Languge import function is disabled in the interface config.inc.php file.');

			$app->uses('tpl');

			@@ -45,20 +129,26 @@

			// Export the language file
			if(isset($_FILES['file']['name']) && is_uploaded_file($_FILES['file']['tmp_name'])) {

			//* CSRF Check
			$app->auth->csrf_token_check();

			$lines = file($_FILES['file']['tmp_name']);
			// initial check
			$parts = explode('\|',$lines[0]);
			$parts = explode('\|', $lines[0]);
			if($parts[0] == '---' && $parts[1] == 'ISPConfig Language File') {
			if($_POST['ignore_version'] != 1 && $parts[2] != $conf["app_version"]) {
			$error .= 'Application version does not match. Appversion: '.$conf["app_version"].' Lanfile version: '.$parts[2];
			} else {
			unset($lines[0]);


			$buffer = '';
			$langfile_path = '';
			// all other lines
			$ln = 1;
			foreach($lines as $line) {
			$parts = explode('\|',$line);
			$ln++;
			$parts = explode('\|', $line);
			if(is_array($parts) && count($parts) > 0 && $parts[0] == '--') {
			// Write language file, if its not the first file
			if($buffer != '' && $langfile_path != '') {
			@@ -66,7 +156,7 @@
			$error .= "File exists, not written: $langfile_path<br />";
			} else {
			$msg .= "File written: $langfile_path<br />";
			file_put_contents($langfile_path,$buffer);
			file_put_contents($langfile_path, $buffer);
			}
			}
			// empty buffer and set variables
			@@ -76,30 +166,39 @@
			$file_name = trim($parts[3]);
			if(!preg_match("/^[a-z]{2}$/i", $selected_language)) die("unallowed characters in selected language name: $selected_language");
			if(!preg_match("/^[a-z_]+$/i", $module_name)) die('unallowed characters in module name.');
			if(!preg_match("/^[a-z\._]+$/i", $file_name) \|\| stristr($file_name,'..')) die("unallowed characters in language file name: '$file_name'");
			if(!preg_match("/^[a-z\._\-]+$/i", $file_name) \|\| stristr($file_name, '..')) die("unallowed characters in language file name: '$file_name'");
			if($module_name == 'global') {
			$langfile_path = trim(ISPC_LIB_PATH."/lang/".$selected_language.".lng");
			} else {
			$langfile_path = trim(ISPC_WEB_PATH.'/'.$module_name.'/lib/lang/'.$file_name);
			}
			} elseif(is_array($parts) && count($parts) > 1 && $parts[0] == '---' && $parts[1] == 'EOF') {
			// EOF line, ignore it.
			} else {
			$buffer .= $line;
			$line = validate_line($line);
			if($line === false) $error .= "Language file contains invalid language entry on line $ln.<br />";
			else $buffer .= $line."\n";
			}
			}
			}
			}
			}

			$app->tpl->setVar('msg',$msg);
			$app->tpl->setVar('error',$error);
			$app->tpl->setVar('msg', $msg);
			$app->tpl->setVar('error', $error);

			//* load language file
			//* SET csrf token
			$csrf_token = $app->auth->csrf_token_get('language_import');
			$app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']);
			$app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']);

			//* load language file
			$lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_import.lng';
			include($lng_file);
			include $lng_file;
			$app->tpl->setVar($wb);

			$app->tpl_defaults();
			$app->tpl->pparse();


			?>
			?>